Data Security and the Target Holiday Breach

As the amount of consumer information stored and analyzed online by large corporations increases, the risk of identity theft and consumer fraud also greatly increases. In December, credit and debit card information of approximately 40 million Target customers was stolen when the Target computer systems were breached. This theft also included the personal identification numbers, or PINs, of all of the cards, though in encrypted form. And recently, on January 10, Target announced that names, mailing addresses, phone numbers or email addresses for up to 70 million customers were also stolen in the data breach, customers not necessarily related to card holders already affected. This security breach of Target’s computer systems marks one of the largest ever, with upwards of 100 million individuals affected. In response, Target is offering one year of free credit monitoring from the credit bureau Experian, as long as customers request an authorization code from Target and activate it by April 30. Although this seems to be a step in the right direction, simply providing a free notification service will not protect the consumer against identity theft or fraudulent charges on their cards.

This incident reflects the vulnerability of customer data and the need for improved protection. However, it is still unclear how this theft was carried out, so it is impossible to determine what additional precautions are needed. Target is working with the Secret Service and the Department of Justice to identify the entity or individual behind the attack. Consumer advocates point to Target’s practice of data mining, the practice of determining shopping habits and preferences by analyzing customer information, as a potential cause of the weakness in security. This raises the issue of determining the limits that should be placed on large retailers in their ability to exploit the personal data that they collect through consumer transactions.

In response to this event, a group of Senators is unveiling a new data security bill that aims to protect consumers from having their identities stolen or being harmed by fraud. The purpose of the bill is to remedy the “patchwork” of laws that states have enacted on their own to deal with data security by establishing a set of national data security standards. For example, the Act would require certain protective measures, as well as a standard notification process when potential breaches occur. Also, it would require the notification of certain agencies when a customers-at-risk threshold is met.

It will be interesting to see how the lawsuits against Target unfold, and whether this high-profile data breach will be enough to put this — or another — new data security law in place.